Application / Certificate Performance Issues with Vista and FDCC

Summary

In the process of defining the FDCC image, the National Institute of Standards and Technology (NIST) included several Federal and DoD Root and Intermediate X.509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When the Vista CryptoAPI (CAPI) is called by a process (e.g. Iexplore.exe validating a website’s SSL certificate), the CAPI chaining engine attempts to retrieve the cross-signing certificate for any cross-certified certificate in the store. If the system is unable to reach the retrieval URL (stored in the certificate’s Subject Information Access extension), the CAPI chaining engine will time out after 15 seconds. This can cause slow performance in applications that call the CAPI.

Symptoms

· Connecting to SSL-enabled websites will take a long time or time out.

· Applications will be extremely slow and/or throw odd errors.

Cause

The Vista CAPI chaining engine is unable to pull a cross-signing certificate. Each chaining attempt will time out after 15 seconds. If the computer’s Intermediate Certification Authorities store contains multiple cross-signed certificates, the CAPI-calling application will wait until all chaining attempts have succeeded or timed out. This can cause the application to pause for extremely long periods or produce odd errors.

Example

A laptop connecting via a modem using the Cisco VPN client will take ~14 minutes to call the modem dialer or produce the following error:

Secure VPN Connection terminated locally by the Client.

Reason 415: A required component PPPTool.exe is not present among the installed client software.

Connection terminated on: <date> Duration: <value>

Multiple errors are found within the CAPI2 event log. (To enable the CAPI2 event log, start Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click -> Enable Log.) The CAPI chaining engine cannot reach the URL because the system is unable to communicate with the Internet. Note that the “ProcessName” is cvpnd.exe, which is the Cisco VPN service.

Note: The Cisco VPN client software requires the following certificate in the computer’s Trusted Root Certification Authorities store to establish a chain of trust (not included in the FDCC image, see Additional Information).
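The following PowerShell script is an added example, not part of the original note: it walks the machine’s Intermediate Certification Authorities store, pulls the retrieval URLs out of each Subject Information Access extension, probes them with a short timeout so the ones that would stall the chaining engine show up immediately, and then lists recent CAPI2 Operational events. It assumes PowerShell 3.0 or later and only the built-in .NET X509 classes; the 5-second probe timeout is an arbitrary choice.

```powershell
# Added example (not from the original article). Lists every certificate in the
# LocalMachine Intermediate CA store that carries a Subject Information Access
# (SIA) extension and checks whether its retrieval URLs answer quickly.
# An unreachable URL is one the CAPI chaining engine will wait 15 s on.
$siaOid = '1.3.6.1.5.5.7.1.11'   # id-pe-subjectInfoAccess
$store  = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        $sia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $siaOid } | Select-Object -First 1
        if (-not $sia) { continue }
        # Format($true) renders the extension through CAPI, URLs included.
        $urls = [regex]::Matches($sia.Format($true), 'https?://\S+|ldap://\S+') |
                ForEach-Object { $_.Value }
        Write-Host ("{0}  (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
        foreach ($url in $urls) {
            if ($url -like 'ldap://*') { Write-Host "    $url  [LDAP, not probed]"; continue }
            try {
                # HEAD request with a 5 s timeout (arbitrary, well below CAPI's 15 s).
                $resp = Invoke-WebRequest -Uri $url -Method Head -TimeoutSec 5 -UseBasicParsing
                Write-Host "    $url  reachable (HTTP $($resp.StatusCode))"
            } catch {
                Write-Host "    $url  UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }
} finally {
    $store.Close()
}

# The CAPI2 Operational log is off by default; enable it once (elevated):
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
# Then show the newest entries, which carry the URL and ProcessName that
# the article's example attributes to cvpnd.exe.
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it on a machine with no Internet path (for example a laptop before the VPN is up) to reproduce the condition the note describes; every URL reported UNREACHABLE is one the chaining engine will block on.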

Solutions

Method 1:

Microsoft is testing a hotfix that adds the ability to disable the cross-signed certificate chaining retrieval process. The hotfix is still under test and has not been publicly released. Microsoft customers who have an Enterprise Agreement may obtain it through their Account Manager or, for Premier contract holders, their Technical Account Manager. Reference number: KB Article Number(s): 955805

Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update Web site to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this setting, your computer will contact the Windows Update Web site.